Hacked not once, but twice… One woman’s tale of her IRS tax refund fraud and her stolen identity

“I want my life back,” Christine Cortese says.

She’s been the victim of tax-related identity theft — twice this year.

In April, she and her husband received a suspicious bank card in the mail under his name. After showing the Green Dot prepaid card to their accountant, Cortese called the IRS and discovered someone had fraudulently filed for their joint tax refund. They had been hacked.

“It took months to fix. First, you’re required to file a report of identity theft with the local police department,” she says. Her husband, a cardiologist, got off work at 2 a.m. and drove to the Upper Dublin Township, Pa., police station to do just that.

“They had no idea what we were talking about,” Cortese recalls, noting that local law enforcement jurisdictions are unfamiliar with the flood of paperwork required in an identity-theft case.

She also contacted the IRS’s Identity Protection Specialized Unit (1-800-908-4490), all three credit bureaus, and the state.

Then in early September, Cortese and her husband found out they’d been hacked again – this time through the IRS’s online “Get Transcript” database. They had not accessed the database themselves.

The IRS shut down the database in May. In August, the agency mailed letters to Cortese and her husband and about 390,000 other taxpayers whose 2014 tax information may have been stolen through Get Transcript, an application to obtain prior-year tax returns for purposes such as loans and student financial aid. The couple discovered that their son, a dependent, also may have had his information stolen.

IRS Commissioner John Koskinen has said that since the data breach, about 13,000 questionable returns were filed for tax year 2014, for which the IRS issued refunds totaling about $39 million (an average of $3,000 per return).

Taxpayers were offered by the IRS a year of free credit monitoring, as well as PIN numbers to authenticate their identities.

But Cortese, a chemistry teacher, is still waiting. She and her husband haven’t yet received their PINs from Uncle Sam – nor do they have any idea whether their identities remain compromised.

Cortese is convinced the two hacks are related, but the IRS won’t comment on specific cases, says Jennifer Jenkins, IRS field media-relations representative for Ohio, Pennsylvania, and West Virginia.

“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” the IRS said in a statement.

Cortese’s accountant, David Zalles of Blue Bell, Pa., says the case is mystifying.

“Christine has always maintained her maiden name and her Social Security number, and yet somehow the thief filed what looked like a valid joint return for the couple,” he notes.

What’s even scarier is Cortese and her husband don’t file their returns electronically, and instead do paper filing. She avoids social media such as Facebook and LinkedIn.

“We are under siege. I can’t sleep, I can’t think, and my husband is a different man now,” Cortese says of the stress from the two hacking incidents. “My dream is to face these criminals in court – although they’re probably in Russia or China.”

For now, she just wants the PIN numbers the IRS promised.

Surprisingly, Cortese says, the state was extremely helpful. Cortese contacted the office of Taxpayers’ Rights Advocate in Harrisburg (717-772-9347), and director Marva Patterson explained that cases of identity theft require separate filings: a copy of the local police report; the prior year’s tax returns; a copy of a state driver’s license and passport; and the state’s own affidavit form.

E-filing’s role

By expanding its online services, the IRS put taxpayer data at greater risk, the U.S. Treasury Inspector General for Tax Administration told Congress in June.

“Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online provides more opportunities for exploitation by hackers and other fraudsters,” J. Russell George, the inspector general, warned in testimony before the Senate Finance Committee.

Hackers overcame a multistep authentication process that required the taxpayer’s Social Security number, date of birth, tax filing status, and home address. They also had to answer what the IRS called “out-of-wallet” authentication questions that only taxpayers would typically know, such as the amount of a monthly home mortgage or car payments.

One update: Until recently, the IRS would not allow victims of identity theft to see the phony returns. But as a result of Congress’ scrutiny, the agency has changed its policy regarding disclosure of fraudulent returns to identity-theft victims.

Still, Cortese says, she “feels helpless and hopeless. As a human being, I’ve taken it all inside.”